Bug 1799891

Summary: RHCOS UEFI images are not secure boot compliant
Product: OpenShift Container Platform
Reporter: Ben Howard <behoward>
Component: RHCOS
Assignee: Ben Howard <behoward>
Status: CLOSED ERRATA
QA Contact: Michael Nguyen <mnguyen>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.4
CC: bbreard, dustymabe, imcleod, jligon, knewcome, miabbott, nstielau, smilner
Target Milestone: ---
Target Release: 4.4.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-13 21:56:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ben Howard 2020-02-06 19:29:57 UTC
RHCOS is UEFI capable but is missing the firmware support for Secure UEFI. As a result, on certain bare metal hardware and cloud providers (Azure Gen2) RHCOS will not boot. 

Our current EFI layout is:
[root@ibm-p8-kvm-03-guest-02 boot]# find efi -type f -exec md5sum {} \; | sort
805369650ed821476003893402c7c8df  efi/EFI/redhat/grub.cfg
a1a08d1393070ef05a912cd08f132a70  efi/EFI/BOOT/grubx64.efi
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI

We are missing:
- shim64.efi: provides the MS signing key.
- fbx64.efi: fallback shim in case a disk is moved
- mmx64.efi: needed for key-enrollment for GPL compliance of the SHIM

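The check a practitioner would want here is an audit that takes the kind of md5sum listing pasted above and reports which parts of the shim Secure Boot chain are absent. The following is an added example, not code from this bug report, from RHCOS or from coreos-assembler. It uses the two listings from this report (the original image and the fixed one from comment 6) as embedded sample input; the file-name patterns (shimx64, mmx64, fbx64) and the expectation that EFI/BOOT/BOOTX64.EFI is a copy of shim are assumptions about the conventional x86-64 ESP layout.

```python
"""Audit an EFI System Partition listing for the shim-based Secure Boot chain.

Added example; not from the bug report, RHCOS or coreos-assembler. It parses
md5sum output of the kind pasted in the report and reports which components
of the Secure Boot chain are missing.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Tuple

# Component -> (description, pattern). The patterns are an assumption about
# the conventional x86-64 file names, not something the report prescribes.
REQUIRED: Dict[str, Tuple[str, Pattern[str]]] = {
    "shim":       ("first stage signed with the Microsoft UEFI CA",
                   re.compile(r"/shim[^/]*\.efi$", re.I)),
    "mokmanager": ("MokManager, key enrolment for the shim",
                   re.compile(r"/mm[^/]*\.efi$", re.I)),
    "fallback":   ("fallback loader that recreates boot entries if the disk moves",
                   re.compile(r"/fb[^/]*\.efi$", re.I)),
    "grub":       ("GRUB second stage",
                   re.compile(r"/grub[^/]*\.efi$", re.I)),
    "default":    ("default loader EFI/BOOT/BOOTX64.EFI the firmware tries first",
                   re.compile(r"/EFI/BOOT/BOOTX64\.EFI$", re.I)),
}

# Sample input copied from the bug report: the original image and the fixed one.
BEFORE_LISTING = """\
[root@ibm-p8-kvm-03-guest-02 boot]# find efi -type f -exec md5sum {} \\; | sort
805369650ed821476003893402c7c8df  efi/EFI/redhat/grub.cfg
a1a08d1393070ef05a912cd08f132a70  efi/EFI/BOOT/grubx64.efi
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI
"""
AFTER_LISTING = """\
[core@ibm-p8-kvm-03-guest-02 boot]$ find efi -type f -exec md5sum {} \\; | sort
05557eab696d7b70a2a45ed8126685d3  efi/EFI/redhat/grubx64.efi
05cc95b356fb10e84dcdccb09aa0f032  efi/EFI/redhat/shimx64-redhat.efi
3a0b681a2558863e117d71f3e5c504fc  efi/EFI/redhat/grub.cfg
5a1d0059397afc447de3561d7d508ff3  efi/EFI/redhat/mmx64.efi
b90ffff182e4b99380e6e4d2a9e33753  efi/EFI/redhat/BOOTX64.CSV
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI
c748cde9827385f9832a4f0ab1f02550  efi/EFI/redhat/shimx64.efi
f8b0bf703a67a957d946f7278e01dc08  efi/EFI/BOOT/fbx64.efi
"""

MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_md5_listing(text: str) -> Dict[str, str]:
    """Return {path: md5} for each md5sum line; prompt and command lines are skipped."""
    files: Dict[str, str] = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            files[m.group(2)] = m.group(1)
    return files


@dataclass
class AuditResult:
    found: Dict[str, List[str]] = field(default_factory=dict)  # component -> paths
    missing: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

    @property
    def secure_boot_ready(self) -> bool:
        return not self.missing


def audit_esp(files: Dict[str, str]) -> AuditResult:
    """Report which required chain components are present on the ESP."""
    result = AuditResult()
    for name, (_, pattern) in REQUIRED.items():
        paths = sorted(p for p in files if pattern.search(p))
        if paths:
            result.found[name] = paths
        else:
            result.missing.append(name)
    # Assumed layout: the default loader is a copy of shim, which then loads GRUB.
    # Compare hashes when both are present so a swapped-in loader is noticed.
    shims, defaults = result.found.get("shim", []), result.found.get("default", [])
    if shims and defaults:
        if files[defaults[0]] in {files[p] for p in shims}:
            result.notes.append("BOOTX64.EFI is byte-identical to a shim binary")
        else:
            result.notes.append("BOOTX64.EFI is not a shim binary; check what boots first")
    return result


def report(result: AuditResult) -> str:
    """Render one line per component plus the overall verdict."""
    lines = []
    for name, (desc, _) in REQUIRED.items():
        if name in result.found:
            lines.append(f"  ok       {name:<10} {', '.join(result.found[name])}")
        else:
            lines.append(f"  MISSING  {name:<10} {desc}")
    lines += [f"  note     {n}" for n in result.notes]
    verdict = "Secure Boot chain complete" if result.secure_boot_ready else "NOT Secure Boot ready"
    return "\n".join(lines + [f"  => {verdict}"])


if __name__ == "__main__":
    for label, listing in (("original image", BEFORE_LISTING), ("fixed image", AFTER_LISTING)):
        print(f"{label}:")
        print(report(audit_esp(parse_md5_listing(listing))))
```

Run against the original listing it flags shim, MokManager and fallback as missing, which is exactly the gap the description lists; against the comment 6 listing every component is present and BOOTX64.EFI hashes the same as shimx64.efi. Feeding it real output of the same find/md5sum command from a mounted ESP works unchanged.
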
Comment 1 Ben Howard 2020-02-06 19:31:01 UTC
Fix proposed for CoreOS Assembler.
https://github.com/coreos/coreos-assembler/pull/1105

Comment 2 Ben Howard 2020-02-06 21:57:57 UTC
PR merged. Confirmed that the fix registers keys.

Comment 3 Micah Abbott 2020-03-12 19:59:15 UTC
Pushing back to MODIFIED to attach to errata

Comment 6 Steve Milner 2020-03-12 20:03:57 UTC
Pulled image from https://github.com/openshift/installer/pull/3271:

General cosa run:
[core@ibm-p8-kvm-03-guest-02 boot]$ find efi -type f -exec md5sum {} \; | sort
05557eab696d7b70a2a45ed8126685d3  efi/EFI/redhat/grubx64.efi
05cc95b356fb10e84dcdccb09aa0f032  efi/EFI/redhat/shimx64-redhat.efi
3a0b681a2558863e117d71f3e5c504fc  efi/EFI/redhat/grub.cfg
5a1d0059397afc447de3561d7d508ff3  efi/EFI/redhat/mmx64.efi
b90ffff182e4b99380e6e4d2a9e33753  efi/EFI/redhat/BOOTX64.CSV
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI
c748cde9827385f9832a4f0ab1f02550  efi/EFI/redhat/shimx64.efi
f8b0bf703a67a957d946f7278e01dc08  efi/EFI/BOOT/fbx64.efi
[core@ibm-p8-kvm-03-guest-02 boot]$ 


Same results with --uefi and --uefi-secure when using uefi.

Comment 7 Micah Abbott 2020-03-13 13:28:17 UTC
Per comment #6, moving to VERIFIED

Comment 9 errata-xmlrpc 2020-05-13 21:56:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581